Hello,
great, that's just what I built :) here is the PR:
https://github.com/keycloak/keycloak/pull/4370
I'm not sure about the error handling if a configured password list cannot
be found on the filesystem.
https://github.com/keycloak/keycloak/pull/4370/files#diff-91236e069747f156edbd2c282fec8d92R78
Looking forward to your feedback :)
Cheers,
Thomas
2017-08-03 12:11 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
> +1 for filesystem.
>
> Marek
>
> On 29/07/17 10:06, Thomas Darimont wrote:
>> Okay cool.
>>
>> Instead of storing the password blacklist in the database I could instead
>> just refer to a password blacklist that lives on the file system.
>>
>> So Keycloak could ship with some of the lists from [0] and refer to those
>> with a name like "default-blacklist1000", "default-blacklist-100000"
>> in the BlacklistPasswordPolicy config within the admin-console.
>>
>> The "default-blacklist-100000" blacklist would then be mapped and resolve
>> to something like
>> "META-INF/password-blacklist/10_million_password_list_top_100000.txt".
>>
>> Users could provide their own blacklists with the provider config stored
>> in standalone.xml that could then be adjusted via jboss-cli.
>>
>> I think this filesystem-based approach is better than having to load and
>> store big text-blobs in the database.
>>
>> Cheers,
>> Thomas
>>
>> [0] https://github.com/danielmiessler/SecLists/tree/master/Passwords
>> Using those password lists seems to be allowed according to their license:
>> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project
>> which is Creative Commons Attribution ShareAlike 3.0 License
>> -> IANAL but it seems to be usable in commercial products as well
>> https://creativecommons.org/licenses/by-sa/3.0/
>> as long as the authors are mentioned.
>>
>> 2017-07-28 22:03 GMT+02:00 Bill Burke <bburke at redhat.com>:
>>> Yah, that sounds cool.
>>>
>>> On 7/28/17 11:48 AM, Thomas Darimont wrote:
>>>> Hello,
>>>>
>>>> I built a configurable Password Policy that allows matching a given
>>>> password against a blacklist of easy-to-guess passwords that should not
>>>> be allowed as user passwords.
>>>>
>>>> The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
>>>> with a ";" delimited list of easy-to-guess passwords.
>>>>
>>>> If the user or admin wants to change the password it is checked against
>>>> the blacklist.
>>>> A password list can be found here:
>>>> https://github.com/danielmiessler/SecLists/tree/master/Passwords
>>>>
>>>> A blacklist is of course not a perfect solution but could still be
>>>> useful for some users.
>>>>
>>>> The password blacklist would be compiled to a trie at startup (and on
>>>> changes of the blacklist) for efficient lookups.
>>>>
>>>> WDYT?
>>>>
>>>> Cheers,
>>>> Thomas
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
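As an added illustration of the design discussed in this thread (a hypothetical stand-alone sketch, not Keycloak's BlacklistPasswordPolicyProvider and not the code in the PR), here is how a configured list name could be resolved to a file, compiled into a trie at load time, and how a missing file could be treated as a hard error instead of an empty blacklist that accepts everything. The class, method and directory names, and the mapping of "default-blacklist-1000" to a top_1000 file, are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical sketch (not Keycloak's code): name -> file resolution, trie compilation, lookup. */
public class PasswordBlacklist {
    /** Trie node: children keyed by character; terminal marks the end of a blacklisted password. */
    private static final class Node {
        final Map<Character, Node> children = new HashMap<>();
        boolean terminal;
    }
    private final Node root = new Node();

    /** Maps a shipped list name to its file; any other name is taken as a custom file in the same dir. */
    static Path resolve(Path blacklistDir, String name) {
        Map<String, String> shipped = Map.of(   // assumed names/files, modelled on the thread
            "default-blacklist-1000", "10_million_password_list_top_1000.txt",
            "default-blacklist-100000", "10_million_password_list_top_100000.txt");
        return blacklistDir.resolve(shipped.getOrDefault(name, name));
    }

    /** Fails loudly on a missing file: an empty blacklist would silently accept every password. */
    static PasswordBlacklist load(Path file) throws IOException {
        if (!Files.isRegularFile(file)) {
            throw new NoSuchFileException(file.toString(), null, "configured password blacklist not found");
        }
        PasswordBlacklist bl = new PasswordBlacklist();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String pw = line.trim();
            if (!pw.isEmpty()) bl.add(pw);   // one password per line, as in the SecLists files
        }
        return bl;
    }
    void add(String password) {
        Node n = root;
        for (char c : password.toCharArray()) n = n.children.computeIfAbsent(c, k -> new Node());
        n.terminal = true;
    }
    /** Exact-match lookup in O(password length), independent of the list size. */
    boolean contains(String password) {
        Node n = root;
        for (char c : password.toCharArray()) {
            if ((n = n.children.get(c)) == null) return false;
        }
        return n.terminal;
    }
}
```

Loading happens once at startup (and again when the configured name changes), so the per-login-change cost is a single trie walk; the thrown NoSuchFileException surfaces a misconfigured path at deploy time rather than at the first password change.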